diff --git a/internal/controllers/http_controllers/question/question.go b/internal/controllers/http_controllers/question/question.go
index 1fa2986..2b12d74 100644
--- a/internal/controllers/http_controllers/question/question.go
+++ b/internal/controllers/http_controllers/question/question.go
@@ -48,6 +48,15 @@ func (r *Question) CreateQuestion(ctx *fiber.Ctx) error {
 if err := ctx.BodyParser(&req); err != nil {
 return ctx.Status(fiber.StatusBadRequest).SendString("Invalid request data")
 }
+
+ isOwner, err := r.dal.QuizRepo.CheckQuizOwner(ctx.Context(), accountID, req.QuizId)
+ if err != nil {
+ return ctx.Status(fiber.StatusInternalServerError).SendString(err.Error())
+ }
+ if !isOwner {
+ return ctx.Status(fiber.StatusUnauthorized).SendString("not the owner")
+ }
+
 if utf8.RuneCountInString(req.Title) >= 512 {
 return ctx.Status(fiber.StatusUnprocessableEntity).SendString("title field should have less then 512 chars")
 }
@@ -120,6 +129,11 @@ type GetQuestionListResp struct {
 // GetQuestionList handler for paginated list question
 // todo нужна проверка на то что квиз принадлежит пользователю, не помешает
 func (r *Question) GetQuestionList(ctx *fiber.Ctx) error {
+ accountID, ok := middleware.GetAccountId(ctx)
+ if !ok {
+ return ctx.Status(fiber.StatusUnauthorized).SendString("account id is required")
+ }
+
 var req GetQuestionListReq
 if err := ctx.BodyParser(&req); err != nil {
 return ctx.Status(fiber.StatusBadRequest).SendString("Invalid request data")
@@ -142,6 +156,15 @@ func (r *Question) GetQuestionList(ctx *fiber.Ctx) error {
 "'test','none','file', 'button','select','checkbox'")
 }
 
+ isOwner, err := r.dal.QuizRepo.CheckQuizOwner(ctx.Context(), accountID, req.QuizId)
+ if err != nil {
+ return ctx.Status(fiber.StatusInternalServerError).SendString(err.Error())
+ }
+
+ if !isOwner {
+ return ctx.Status(fiber.StatusUnauthorized).SendString("not the owner")
+ }
+
 res, cnt, err := r.dal.QuestionRepo.GetQuestionList(ctx.Context(), req.Limit, req.Page*req.Limit,
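Review bot: The `!isOwner` branch answers 401, but by the time it runs the caller has already been authenticated through accountID, so the failure is an authorization one and `fiber.StatusForbidden` is the accurate status: `return ctx.Status(fiber.StatusForbidden).SendString("not the owner")`. The same substitution applies to the ownership checks added at -142, -191, -270, -299 and -332. On the `err != nil` branch the repository error is sent verbatim in the 500 via `err.Error()`, which can expose driver or SQL detail to the client; logging it server-side and returning a fixed message is safer, although the context lines at -270, -299 and -332 show the file already does this elsewhere, so it is a pre-existing pattern rather than something this commit introduced. The ownership check and the write that follows appear to be separate repository calls, so ownership can change between them; constraining the write itself by owner would close that window, but needs a repository change outside this hunk. CreateQuestion starts before this hunk, so where accountID comes from is not visible here.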
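Review bot: The `// todo нужна проверка на то что квиз принадлежит пользователю, не помешает` line above GetQuestionList now describes exactly what this commit implements, so it is stale as of this change; drop it, or replace it with a doc comment in the form Go tooling expects, e.g. `// GetQuestionList returns a paginated list of questions for a quiz owned by the calling account.` The same now-stale todo is kept as context on UpdateQuestion (-182), CopyQuestion (-261) and GetQuestionHistory (-290). The accountID obtained here is only consumed by the ownership check in the following hunk (-142), and GetQuestionList continues beyond what is shown.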
@@ -182,6 +205,11 @@ type UpdateResp struct {
 // UpdateQuestion handler for update question
 // todo нужна проверка на то что квиз принадлежит пользователю, не помешает
 func (r *Question) UpdateQuestion(ctx *fiber.Ctx) error {
+ accountID, ok := middleware.GetAccountId(ctx)
+ if !ok {
+ return ctx.Status(fiber.StatusUnauthorized).SendString("account id is required")
+ }
+
 var req UpdateQuestionReq
 if err := ctx.BodyParser(&req); err != nil {
 return ctx.Status(fiber.StatusBadRequest).SendString("Invalid request data")
@@ -191,6 +219,15 @@ func (r *Question) UpdateQuestion(ctx *fiber.Ctx) error {
 return ctx.Status(fiber.StatusFailedDependency).SendString("need id of question for update")
 }
 
+ isOwner, err := r.dal.QuestionRepo.CheckQuestionOwner(ctx.Context(), accountID, req.Id)
+ if err != nil {
+ return ctx.Status(fiber.StatusInternalServerError).SendString(err.Error())
+ }
+
+ if !isOwner {
+ return ctx.Status(fiber.StatusUnauthorized).SendString("not the owner")
+ }
+
 if utf8.RuneCountInString(req.Title) >= 512 {
 return ctx.Status(fiber.StatusUnprocessableEntity).SendString("title field should have less then 512 chars")
 }
@@ -261,6 +298,11 @@ type CopyQuestionReq struct {
 // CopyQuestion handler for copy question
 // todo копирование может происходить с чужого опроса? если нет тоже проверку надо делать на принадлежность
 func (r *Question) CopyQuestion(ctx *fiber.Ctx) error {
+ accountID, ok := middleware.GetAccountId(ctx)
+ if !ok {
+ return ctx.Status(fiber.StatusUnauthorized).SendString("account id is required")
+ }
+
 var req CopyQuestionReq
 if err := ctx.BodyParser(&req); err != nil {
 return ctx.Status(fiber.StatusBadRequest).SendString("Invalid request data")
@@ -270,6 +312,15 @@ func (r *Question) CopyQuestion(ctx *fiber.Ctx) error {
 return ctx.Status(fiber.StatusFailedDependency).SendString("no id provided")
 }
 
+ isOwner, err := r.dal.QuestionRepo.CheckQuestionOwner(ctx.Context(), accountID, req.Id)
+ if err != nil {
+ return ctx.Status(fiber.StatusInternalServerError).SendString(err.Error())
+ }
+
+ if !isOwner {
+ return ctx.Status(fiber.StatusUnauthorized).SendString("not the owner")
+ }
+
 question, err := r.dal.QuestionRepo.CopyQuestion(ctx.Context(), req.Id, req.QuizId)
 if err != nil {
 return ctx.Status(fiber.StatusInternalServerError).SendString(err.Error())
@@ -290,6 +341,11 @@ type GetQuestionHistoryReq struct {
 // GetQuestionHistory handler for history of quiz
 // todo нужна проверка на то что квиз принадлежит пользователю, не помешает
 func (r *Question) GetQuestionHistory(ctx *fiber.Ctx) error {
+ accountID, ok := middleware.GetAccountId(ctx)
+ if !ok {
+ return ctx.Status(fiber.StatusUnauthorized).SendString("account id is required")
+ }
+
 var req GetQuestionHistoryReq
 if err := ctx.BodyParser(&req); err != nil {
 return ctx.Status(fiber.StatusBadRequest).SendString("Invalid request data")
@@ -299,6 +355,15 @@ func (r *Question) GetQuestionHistory(ctx *fiber.Ctx) error {
 return ctx.Status(fiber.StatusFailedDependency).SendString("no id provided")
 }
 
+ isOwner, err := r.dal.QuestionRepo.CheckQuestionOwner(ctx.Context(), accountID, req.Id)
+ if err != nil {
+ return ctx.Status(fiber.StatusInternalServerError).SendString(err.Error())
+ }
+
+ if !isOwner {
+ return ctx.Status(fiber.StatusUnauthorized).SendString("not the owner")
+ }
+
 history, err := r.dal.QuestionRepo.QuestionHistory(ctx.Context(), req.Id, req.Limit, req.Page*req.Limit)
 if err != nil {
 return ctx.Status(fiber.StatusInternalServerError).SendString(err.Error())
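Review bot: The new ownership check in CopyQuestion covers only the source question (`req.Id`), while the `CopyQuestion` call two lines below also takes `req.QuizId` as the destination, so the caller's ownership of the target quiz is never verified and a question could be copied into a quiz that belongs to another account. A second check against `r.dal.QuizRepo.CheckQuizOwner(ctx.Context(), accountID, req.QuizId)`, shaped like the one CreateQuestion uses, closes that gap; the rewritten tail of the block is below. Whether `req.QuizId` may legitimately be empty (copy within the same quiz) is not visible in this hunk; if it is optional, the extra check should apply only when it is set. CopyQuestion begins in the previous hunk at -261.
```go
	// … unchanged: id check and CheckQuestionOwner block …
	isQuizOwner, err := r.dal.QuizRepo.CheckQuizOwner(ctx.Context(), accountID, req.QuizId)
	if err != nil {
		return ctx.Status(fiber.StatusInternalServerError).SendString(err.Error())
	}
	if !isQuizOwner {
		return ctx.Status(fiber.StatusForbidden).SendString("not the owner of the target quiz")
	}

	question, err := r.dal.QuestionRepo.CopyQuestion(ctx.Context(), req.Id, req.QuizId)
```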
@@ -332,6 +397,14 @@ func (r *Question) DeleteQuestion(ctx *fiber.Ctx) error {
 return ctx.Status(fiber.StatusFailedDependency).SendString("id for deleting question is required")
 }
 
+ isOwner, err := r.dal.QuestionRepo.CheckQuestionOwner(ctx.Context(), accountID, req.Id)
+ if err != nil {
+ return ctx.Status(fiber.StatusInternalServerError).SendString(err.Error())
+ }
+ if !isOwner {
+ return ctx.Status(fiber.StatusUnauthorized).SendString("not the owner")
+ }
+
 deleted, err := r.dal.QuestionRepo.DeleteQuestion(ctx.Context(), req.Id)
 if err != nil {
 return ctx.Status(fiber.StatusInternalServerError).SendString(err.Error())
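Review bot: The ownership block here omits the blank line between the `err != nil` closing brace and `if !isOwner {` that the otherwise identical blocks at -142, -191, -270 and -299 include (the block at -48 omits it too); since the same eight lines now appear six times, pick one layout, or better, lift them into a small helper on `*Question` that performs the check and writes the response, so the status code and message live in one place. The `accountID` this hunk uses is declared before the hunk, so its origin cannot be confirmed from this view; DeleteQuestion starts and ends outside it. If `CheckQuestionOwner` also reports false for an id that does not exist, the response conflates "not found" with "not the owner", which is fine for hiding existence but worth a comment so the behaviour is not changed accidentally later.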